The Telecom Regulatory Authority of India (TRAI) has issued a new Direction instructing all Access Providers to mandatorily pre-tag every variable field used in SMS content templates for commercial communication.
The measure aims to eliminate the misuse of untagged variables, which has been a recurring avenue for phishing attempts and fraudulent insertion of unverified URLs or callback numbers into approved message templates.
Why the new tagging rule was introduced
Variable fields in SMS templates carry elements that change for each message—such as tracking links, URLs, app download links, or callback numbers—while the rest of the text remains fixed. TRAI’s investigations into unsolicited commercial communication (UCC) found that absence of predefined tagging allowed entities to insert:
- Non-whitelisted or harmful URLs
- Unapproved OTT/APK links
- Fraudulent callback numbers
These additions slipped through template checks because Access Providers could not identify or verify the variable portions. The gaps have been routinely exploited in phishing attacks, financial fraud, data theft, and other cyber incidents.
TRAI noted that earlier directions issued in February 2023 and May 2023, which required tagging and limiting variables, were not implemented by operators. Following multiple consultations—most recently in September 2025 with Access Providers and the Cellular Operators Association of India (COAI)—a standardized tag set was finalized.
Key requirements under TRAI’s latest Direction
The Direction dated 18 November 2025 mandates the following:
1. Mandatory pre-tagging of all variable fields
Every variable field must carry a descriptive tag indicating:
- Content type
- Purpose of use
- Applicable validation rule
Examples of approved tags include:
#url#— general web links#urlott#— OTT/APK/app download links#cbn#— callback numbers#email#— email placeholders#number#/#numeric#— numeric values#alphanumeric#— IDs or mixed-value fields (max 40 characters)
2. Validation and scrubbing
Access Providers must validate all tagged fields against pre-whitelisted:
- URLs and short URLs
- OTT and APK download links
- Mobile, landline, or toll-free callback numbers
Scrubbing systems must be enabled within 30 days.
3. Rules for new and existing templates
-
New templates: Only templates with correct tagging can be approved beginning 10 days after the Direction.
-
Existing templates: All must be modified to comply within 60 days from the start of tag-based scrubbing.
4. Logger-mode transition period
For the first 60 days after scrubbing begins:
- Messages will continue to be delivered
- Validation failures will be logged
After this period:
- Any message failing variable validation will be rejected and not delivered
5. Principal Entity communication
Access Providers must identify Principal Entities responsible for template failures and inform them about:
- Required corrective actions
- Consequences of continued non-compliance
6. Updated Code of Practice and reporting
Operators must:
- Submit progress reports every 15 days, and
- File updated Codes of Practice within 90 days
Expected impact on commercial communication
The Direction strengthens the framework introduced under the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018. By ensuring complete visibility of all variable fields and enforcing validation before delivery, TRAI aims to significantly reduce:
- Phishing attempts through SMS
- Fraudulent financial activity
- Abuse of registered templates
- Insertion of non-whitelisted links or numbers
The measure is expected to improve user safety and restore confidence in SMS channels used by banking, financial institutions, government bodies, and essential service providers.
Outlook
TRAI’s move marks one of the most significant tightening measures in India’s commercial messaging ecosystem. As operators implement the new tagging and scrubbing requirements, the industry is likely to see more consistent template governance, reduced fraud incidents, and clearer accountability from Principal Entities. The next few months will be crucial as Access Providers transition from logger mode to full enforcement.